.\" -*- coding: us-ascii -*-
.if \n(.g .ds T< \\FC
.if \n(.g .ds T> \\F[\n[.fam]]
.de URL
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
.TH nikto 1 "4 July 2008" "" ""
.SH NAME
nikto \- Scan web server for known vulnerabilities
.SH SYNOPSIS
'nh
.fi
.ad l
\fB/usr/local/bin/nikto\fR \kx
.if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
'in \n(.iu+\nxu
[options]\&...
'in \n(.iu-\nxu
.ad b
'hy
.SH DESCRIPTION
Examine a web server to find potential problems and security vulnerabilities, including:
.TP 0.2i
\(bu
Server and software misconfigurations
.TP 0.2i
\(bu
Default files and programs
.TP 0.2i
\(bu
Insecure files and programs
.TP 0.2i
\(bu
Outdated servers and programs
.PP
Nikto is built on LibWhisker (by RFP) and can run on any platform
which has a Perl environment. It supports SSL, proxies, host
authentication, IDS evasion and more. It can be updated automatically
from the command-line, and supports the optional submission of updated
version data back to the maintainers.
.SH OPTIONS
Below are all of the Nikto command line options and explanations. A
brief version of this text is available by running Nikto with the -h
(-help) option.
.TP 
\*(T<\fB\-Cgidirs\fR\*(T>
Scan these CGI directories. The special words "none" and "all"
scan no CGI directories or all of them, respectively. A literal
CGI directory such as "/cgi-test/" may also be given (the trailing
slash is required). If this option is not specified, all CGI
directories listed in config.txt are tested.
.TP 
\*(T<\fB\-config\fR\*(T>
Specify an alternative config file to use instead of the
config.txt located in the install directory.
.TP 
\*(T<\fB\-dbcheck\fR\*(T>
Check the scan databases for syntax errors. Also checks the
plugins to ensure they are called properly and have an entry in the
plugins_order.txt.
.TP 
\*(T<\fB\-evasion\fR\*(T>
Specify the LibWhisker IDS evasion technique to use (see the
LibWhisker docs for detailed information on these). Use the
reference number to select the technique; more than one may be
given:

1 - Random URI encoding (non-UTF8)

2 - Directory self-reference (/./)

3 - Premature URL ending

4 - Prepend long random string

5 - Fake parameter

6 - TAB as request spacer

7 - Change the case of the URL

8 - Use Windows directory separator (\e)
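As an added illustration of what the eight techniques do to a request, the Python below rewrites a request line for a constructed sample path (/cgi-bin/test.cgi) with each technique, and pairs it with the kind of decoder-aware canonicaliser an IDS needs in order to see through them. This is example code, not Nikto's or LibWhisker's own source: the transforms are reconstructed from the technique names above, so the exact bytes LibWhisker emits (for instance the prefix used for the premature URL ending) may differ.

```python
"""Approximation of the eight LibWhisker IDS-evasion techniques selectable
with -evasion.  Added example code, not Nikto's or LibWhisker's source: the
transforms are reconstructed from the technique names on the man page and the
exact bytes LibWhisker emits may differ."""
import random
import string
from urllib.parse import unquote

SAMPLE_PATH = "/cgi-bin/test.cgi"   # constructed sample, not from a real scan


def make_rng(seed=7):
    """Seeded RNG so runs are reproducible; LibWhisker uses its own source."""
    return random.Random(seed)


def _rand_word(rng, n):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def random_uri_encoding(path, rng):
    """1 - percent-encode a random subset of non-slash bytes (plain %XX, not UTF-8)."""
    out = [ch if ch == "/" or rng.random() < 0.5 else "%%%02X" % ord(ch) for ch in path]
    if "".join(out) == path:                      # guarantee at least one byte changed
        for i in range(len(path) - 1, -1, -1):
            if path[i] != "/":
                out[i] = "%%%02X" % ord(path[i])
                break
    return "".join(out)


def directory_self_reference(path):
    """2 - insert '/./' so every segment is reached through a self-reference."""
    return path.replace("/", "/./")


def premature_url_ending(path):
    """3 - a prefix that reads like a finished request line (space, HTTP/1.1,
    CRLF CRLF), then '..' twice to back out of both fake segments (assumed form)."""
    return "/%20HTTP/1.1%0D%0A%0D%0A/../.." + path


def prepend_long_random_string(path, rng, length=64):
    """4 - a long junk directory immediately backed out with '..'."""
    return "/" + _rand_word(rng, length) + "/.." + path


def fake_parameter(path, rng):
    """5 - a segment carrying an encoded '?' so it resembles a query string."""
    return "/" + _rand_word(rng, 6) + "%3F" + _rand_word(rng, 4) + "=1/.." + path


def change_case(path, rng):
    """7 - random letter case; only matters on case-insensitive file systems."""
    return "".join((ch.upper() if rng.random() < 0.5 else ch.lower()) if ch.isalpha() else ch
                   for ch in path)


def windows_separator(path):
    """8 - backslash as directory separator everywhere but the leading slash."""
    return path[:1] + path[1:].replace("/", "\\")


PATH_TECHNIQUES = {
    "1": random_uri_encoding,
    "2": lambda p, rng: directory_self_reference(p),
    "3": lambda p, rng: premature_url_ending(p),
    "4": prepend_long_random_string,
    "5": fake_parameter,
    "7": change_case,
    "8": lambda p, rng: windows_separator(p),
}


def apply_evasions(path, evasion, rng):
    """Apply the techniques named in an -evasion value (e.g. "12") in order."""
    for code in evasion:
        if code == "6":            # technique 6 acts on the request line, not the path
            continue
        if code not in PATH_TECHNIQUES:
            raise ValueError("unknown evasion technique %r" % code)
        path = PATH_TECHNIQUES[code](path, rng)
    return path


def build_request_line(path, evasion="", method="GET", version="HTTP/1.1", rng=None):
    """Full request line; technique 6 swaps the space separators for TABs."""
    rng = rng or make_rng()
    spacer = "\t" if "6" in evasion else " "
    return spacer.join((method, apply_evasions(path, evasion, rng), version))


def canonicalize(path):
    """What a decoder-aware IDS must do before signature matching: percent-decode,
    fold backslashes, drop '.' segments and resolve '..'.  Case is left alone,
    because whether it matters depends on the target's file system."""
    segments = []
    for seg in unquote(path).replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def signature_hits(request_line, signature=SAMPLE_PATH):
    """Naive substring IDS: the evasions exist to make this return False."""
    return signature in request_line


if __name__ == "__main__":
    rng = make_rng()
    for code in "12345678":
        line = build_request_line(SAMPLE_PATH, code, rng=rng)
        print(code, repr(line), "naive:", signature_hits(line),
              "canonical:", canonicalize(line.split()[1]))
```

Running the block prints each technique's request line next to whether a plain substring signature still matches and what the canonicaliser recovers; techniques 1 through 5 and 8 canonicalise back to the sample path exactly, technique 7 only up to case.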
.TP 
\*(T<\fB\-findonly\fR\*(T>
Only discover the HTTP(S) ports; do not perform a security scan.
This will attempt to connect with HTTP or HTTPS, and report the
Server header.
.TP 
\*(T<\fB\-Format\fR\*(T>
Save the output file specified with -o (-output) option in
this format. If not specified, default is "txt". Valid formats
are:

csv - a comma-separated list

htm - an HTML report

txt - a text report

xml - an XML report
.TP 
\*(T<\fB\-host\fR\*(T>
Host(s) to target. Can be an IP address, hostname or text file
of hosts.
.TP 
\*(T<\fB\-Help\fR\*(T>
Display extended help information.
.TP 
\*(T<\fB\-id\fR\*(T>
ID and password to use for Basic host authentication. Format is
"id:password". Basic credentials are only base64-encoded on the
wire, so send them over HTTPS (see -ssl) unless the target is a
test host.
.TP 
\*(T<\fB\-mutate\fR\*(T>
Specify a mutation technique. A mutation causes Nikto to combine
tests or attempt to guess values. These techniques may launch a very
large number of requests against the target. Use the reference
number to select the technique; more than one may be given:

1 - Test all files with all root directories

2 - Guess for password file names

3 - Enumerate user names via Apache (/~user type
requests)

4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user
type requests)
.TP 
\*(T<\fB\-nolookup\fR\*(T>
Do not perform name lookups on IP addresses.
.TP 
\*(T<\fB\-output\fR\*(T>
Write output to the file specified. Format is defined in -F
(-Format), default is text. Existing files will have new information
appended.
.TP 
\*(T<\fB\-port\fR\*(T>
TCP port(s) to target. To test more than one port on the same
host, give the list of ports in the -p (-port) option. Ports can
be specified as a range (e.g., 80-90) or as a comma-delimited list
(e.g., 80,88,90). If not specified, port 80 is used.
.TP 
\*(T<\fB\-Pause\fR\*(T>
Seconds to delay between each test.
.TP 
\*(T<\fB\-Display\fR\*(T>
Control the output that Nikto shows. See Chapter 5 of the main
documentation for detailed information on these options. Use the
reference number or letter to select the type; more than one may be
given:

1 - Show redirects

2 - Show cookies received

3 - Show all 200/OK responses

4 - Show URLs which require authentication

D - Debug Output

V - Verbose Output
.TP 
\*(T<\fB\-root\fR\*(T>
Prepend the value specified to the beginning of every request.
This is useful to test applications or web servers which have all of
their files under a certain directory.
.TP 
\*(T<\fB\-ssl\fR\*(T>
Only test SSL on the ports specified. Using this option will
dramatically speed up requests to HTTPS ports, since otherwise the
plain HTTP request has to time out first.
.TP 
\*(T<\fB\-Single\fR\*(T>
Perform a single request to a target server. Nikto will prompt
for all options which can be specified, and then report the detailed
output. See Chapter 5 for detailed information.
.TP 
\*(T<\fB\-timeout\fR\*(T>
Seconds to wait before timing out a request. Default timeout
is 2 seconds.
.TP 
\*(T<\fB\-Tuning\fR\*(T>
Tuning options control which tests Nikto runs against a target.
By default, if any options are specified, only those tests will be
performed. If the "x" option is used, the logic is reversed and only
the listed tests are excluded. Use the reference number or letter to
select the type; several may be combined into one value:

0 - File Upload

1 - Interesting File / Seen in logs

2 - Misconfiguration / Default File

3 - Information Disclosure

4 - Injection (XSS/Script/HTML)

5 - Remote File Retrieval - Inside Web Root

6 - Denial of Service

7 - Remote File Retrieval - Server Wide

8 - Command Execution / Remote Shell

9 - SQL Injection

a - Authentication Bypass

b - Software Identification

g - Generic (Don't rely on banner)

x - Reverse Tuning Options (i.e., include all except
specified)
.TP 
\*(T<\fB\-useproxy\fR\*(T>
Use the HTTP proxy defined in the config.txt file.
.TP 
\*(T<\fB\-update\fR\*(T>
Update the plugins and databases directly from
cirt.net.
.TP 
\*(T<\fB\-Version\fR\*(T>
Display the Nikto software, plugin and database
versions.
.TP 
\*(T<\fB\-vhost\fR\*(T>
Specify the Host header to be sent to the target.
.SH FILES
.TP 
\*(T<\fI${NIKTO_DIR}/config.txt\fR\*(T> 
The nikto configuration file. This sets nikto's global options.
.TP 
\*(T<\fI${NIKTO_DIR}/plugins/db*\fR\*(T> 
The db* files are the databases Nikto uses to check for vulnerabilities and issues within the web server.
.TP 
\*(T<\fI${NIKTO_DIR}/plugins/*.plugin\fR\*(T> 
All of Nikto's plugins live here. Nikto itself is a wrapper script that handles the command line and hands off to the plugins.
.TP 
\*(T<\fI${NIKTO_DIR}/plugins/nikto_plugin_order.txt\fR\*(T> 
Specifies the order that nikto's plugins will be executed in.
.TP 
\*(T<\fI${NIKTO_DIR}/templates\fR\*(T> 
Contains the templates for nikto's output formats.
.SH BUGS
The following features are not currently supported:
.TP 0.2i
\(bu
SOCKS Proxies
.TP 0.2i
\(bu
NTLM Authentication
.SH AUTHORS
Nikto was originally written and maintained by Sullo, CIRT, Inc. It is currently maintained by David Lodge. See the main documentation for other contributors.
.PP
All code is \(co CIRT, Inc., except LibWhisker which is \(co rfp.labs (wiretrip.net). Other portions of code may be \(co as specified.
.SH "SEE ALSO"
.URL http://www.cirt.net/ "Nikto Homepage"
